anthonym16 thanks for the post. Ive managed to make a lot of progress so far due to your information. I've gotten to an interesting sticking point though. When I have a user log in with their username and password, it fails the first time, when they try again right away it succeeds and adds them as a user. Any thoughts?

Edit:
It's adding the user on the first failed attempt allowing them to log in successfully on the second attempt.

Where do you have your hook in login.php? In my 3.8.1 login.php file, it's on line 100. It seems like the the ldap plugin is firing correctly but in the wrong place? If the hook is in the right place, my next thought is maybe your cookies are not working properly.

In Haqa's code, once an email is found in AD, this line executes:
Then, in login.php, after the correct hook location, GPC['cookieuser'] is passed into verify_authentication().

I'm still trying to learn the hooks system and vb myself. I only have a couple weeks of head start on you... :)

Mine's on line 100 as well


if ($vbulletin->GPC['vb_login_username'] == '')
{
eval(standard_error(fetch_error('badlogin', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'], $strikes)));
}
($hook = vBulletinHook::fetch_hook('ldap_login_hook')) ? eval($hook) : false;

I'm extremely new to VB so I know very little about the system.

When you mentioned to follow the directions here
https://vborg.vbsupport.ru/showthread.php?t=148573
did you intend for that plugin to also be installed along side Haqa's?

I think I'm also having problems creating the hook as I've never done this before. Now that I think of it, i didn't even create a hook yet.

@anthonym16: You are a genius! Thanks. I hope you don't mind if I borrow some of that for the next release? (Credit given of course!).

@n0manarmy: The biggest problem I had with the plugin was getting it to fire at the right point in the login process. Too late and you'll get the effect you are describing with the use created correctly but the login failing first time.

H.

That's my plan - I hate having to modify the main code because it breaks every time you upgrade.

That's not quite would SHOULD have happened (Need to check why it didn't work as it should). What should happen is that if you login with a different account name BUT THE SAME EMAIL then the account should get renamed!

H.

I'll hang tight then and wait to see how the update goes. I can get people in to the system now, even though it takes two login attempts.

Hi Haqa,

I have went through your code, and added
under your code
and change your LDAP bind code like this
I could ignore your "ldap_anon_bind", "ldap_bind_dn" and "ldap_bind_password" options.
Now, I can get it work with my vBulletin 3.7.6, but I got the same problem with n0manarmy , that's when a domain user login for the first time, it returns "password error" message, when login for the next time, third time, etc., it's ok.

In my poinion, the reason I got this problem is the position of the hook "global_complete", what do you think? Thanks!

Any updates on this? Not that I want to rush you or anything but I want to get VB live and active with my students and I don't want to tell them that the registration process requires one failed logon to get an account :)

I've followed all the instructions and cannot get the logon to work with 3.8.2 and 2003 active directory.. would really love an update on this one.

Is it possible to put a wait somewhere in the process so that if it's just a random time delay issue that this could circumvent that? Maybe a 3 second wait with a message saying "One moment, checking your account status."

I've now tried the instructions using 3.7.6 and have the same issue. Doesn't even look like it's trying to access LDAP. I just get an invalid username/password. Not sure about configuring the login.php and where you set the plugin firing order? Any detailed instructions on how to configure this step-by-step would be greatly appreciated as I'm new to vBulletin. Thanks.

Hi,

I have managed to get the plug-in working with v3.7.6. However I am also facing the same issue as n0manarmy whereby a user who logs in to vB for the first time (who doesn't have an account in vB) using this LDAP plug-in will not be successful. Subsequent log-ins will then be OK. Reason is that first timer needs to have his/her account created in vB and this plug-in is used to create that account. Therefore only on 2nd and subsequent log-ins will he/she be successful. Any workaround yet?

Also I found that once this plug-in is installed, the admin cannot log-in directly from the vB mainpage (user page). The admin can only log in from the admin page. Why is that so?

Please help.

Thanks.

I have finally gotten this to work with both 3.7.6 and 3.8.2 using Windows 2003 Active Directory. The problem that I was having was the search base dn and the bind dn were causing issues. One thing to note was the bind dn requires domain\username to function correctly. The search base needed the ou that contains the user accounts in it.

The plugin creates a new user and logs them in succesfully on the first try.

I'm very sorry but due to personal reasons I'm finding I am unable to dedicate the time that a "supported" module deserves. As a result I'm removing the "supported" flag from this plugin.

This doesn't mean I'll stop helping anyone, but I'll feel a bit less bad if it takes me a week to get to it..

Once again sorry, and I hope you'll understand.

H.

Are you still using the global_complete hook for this?

I used this plugin as an example to create a version that works on a SOAP API for our custom account system, but am running into the problem that other described of getting a failed login on first attempt with new account, but being successful upon refreshing the login page. I'd rather not add new hooks to the VB code if it can be avoided.

I use the default global_complete hook, yes. Everything seems to be working fine, except password changes in Active directory aren't transferring to vBulletin... not sure why?

Excellent. Good to know that it's possible without modifying the vb code (login.php or global.php). I'm still completely stuck with the failed login message on new account creation.

Interestingly I was having your problem of password changes not updating from the external source. I added some debug code and found that without

define('DISABLE_PASSWORD_CLEARING', 1);

in config.php, the first test in the plugin was failing

$vbulletin->GPC['vb_login_password'] == '' was true

so the plugin was exiting. I re-added the line to config.php, and password changes work. However, I did notice that, because of the way my plugin is written, the old VB password will continue to work until the new external password is entered. This is because my plugin fails over to internal users if external auth fails.

Unforunately when the new external password for an existing user is set in VB upon login, I still get the failed login error message, even though the new password gets set, and you can log in using the new password by refreshing the page.

There's obviously something missing from my plugin that should be setting some cookies and/or session stuff correctly. Can't figure it out.

Can you list what you did different to get the first tries to work! thanks.

Okay looks like I got lucky.. here's what I did to fix the first time login failure..

edit the product-ldap_auth-1.5.xml either in notepad and reimport or edit the plugin in admin panel->plugin manager

Find:
at the very end of the product xml file

Add:
This is basically the std login code for vb. I have just ended up re-logging the user with the login credentials provided earlier.

So here is the quick retrace of steps.
Installation
1. Add the command define('DISABLE_PASSWORD_CLEARING', 1); to your includes/config.php - This will NOT be overwritten by upgrades, so only needs doing once.
2. Upload the file hooks_ldap_auth.xml to includes/xml under your forum.
3a. Edit product-ldap_auth-1.5.xml with the changes as above
3b. Install the modified product file using the Add/Import Product link on the Manage Products page under Plugins & Products in your AdminCP.
4. Edit LDAP Authentication Options and fill in your ldap details
5. Done.

That is because as you hit the login button the javascript in the page encrypts your password and deletes the unencypted copy (in the field) - Ever noticed that the field goes blank as you hit login? That's why. This is a sort of security feature so no one snooping on the wire can see the plain text password, however a plugin of this sort needs the plain text password to work, so if my plugin see the field empty it just gives up early because there is nothing it can do.

So you are basically re-running the login logic (It's also called earlier in the plugin), and this solves the problem? Cool.

May I include your patch in the next release?

H.

I tried jaikumarms code: it works perfect, new users become no error message ! Thanks for that.

And special thanks to Haqa for this Mod !!!

[s]I can't seem to get this working. I've got everything up and going with being able to log in and authenticating against LDAP. It immediately processes the login and the user's away and posting.

I can't get password changes working though. I tested it with an account, as soon as the password changes, they can't log in with the new password, they can only log in with the old password.

Also,

If someone changes their password through their CP, it not only breaks their old password from working, but the new one doesn't work as well.

Also Also,

It appears that by changing my password through the CP it has broken my ability to create new users....?[/s]

EDIT For follow up:

I edited the line
$show['nopasswordempty'] = defined('DISABLE_PASSWORD_CLEARING') ? 1 : 0; // this nees to be an int for the templates
To appear like above

I was able to log in again with accounts. I don't know if this was somehow reset during my monkeying or not. Everything appears to be working now, including password changes.

Ohh... hmmm
You probably want the "Disable vBulletin Users" turned on. That should (might) make it prefer the LDAP users.

What you are describing with the passwords not changing is that the user update isn't working correctly. This puzzles me because it's relatively simple code, and it's working for some people.

What kind of LDAP server are you reading from? Do you have access to the query logs to ensure that the user is validating and querying their entry correctly?

H.

Yes, that's was the idea, to trigger the re-login in-code, so that the user does not have to.

Sure, go ahead and include my patch. Thanks much for plugin, it has for sure saved me tons time.

J.

Thanks everyone. With the new redirect code, I can got straight in via our SOAP authentication.

I did have a problem with jaikumarm's patch code, when retaining client-side MD5 encoding. The last line "do_login_redirect()" was causing a loop and eventual PHP memory crash. This appears to be due to the global_complete hook being called in print_output in functions.php, which was looping back into the login process. In the original code, there was a line:

$vbulletin->GPC['vb_login_password'] = '';

This kept the plugin from firing when global_complete was called. Without vb_login_md5password being cleared, the plugin was firing everytime it would reach "do_login_redirect()", resulting in the loop.

I also notice that in jaikumarm's code, he is still using

$vbulletin->GPC['vb_login_password']

in his call to verify_authentication. Theoretically, as part of the original code, isn't vb_login_password empty at this point? I'm not sure how verify_authentication would work there with a blank password. Anyway, I didn't have problem with that, but I did have to clear vb_login_md5password just prior to calling do_login_redirect, since my opening logic in the plugin prevents firing if md5 password is empty.

Finally, in the original code, I noticed:

$vbulletin->GPC['cookieuser'] = $vbulletin->GPC['vb_login_username'];

As I was going through login.php, I noticed that it looks like cookieuser is supposed to be BOOL. Not sure this would cause any problems, but I just removed the line completely and everything works fine.

Thanks to Haqa for a good example, that allowed me to write exactly what I needed, and to jaikumarm for helping to complete the puzzle!

???

Ahh... You haven't installed LDAP support for PHP.

It can't work without it, sorry.

H.

Yah I've enabled it now. Still doesnt work when trying to log in as a test AD user. Just keeps saying invalid username /password.

I've read every page of this thread and cannot get this to work. I've follow the instructions completely, put that DEFINE piece of code in my config.php, uploaded the XML to the includes/xml dir. NOTHING.

Running Win2k 2003 with AD

I'm not sure about Windows, but the Centos RPM distro of PHP does not come with ldap support built in. I needed to install the php-ldap library.

Looks like there is a thread at http://forums.devshed.com/showthread.php?p=1173879 which covers installing PHP LDAP support for Windows, just in case.

When I get the next release of this out attached to a better hook point I think the experience will be better. Can you put a screenshot of your settings up (Or pm me your settings) so I can take a look? It sounds like you are either not querying the correct branch of the AD's LDAP or you aren't pulling the correct attributes out.

H.

Thanks for this mod Haga,

I seem to be stuck when I hit any error cases. Specifically using the vB standard_error function from within the global_complete hook causes browsers to hang when they hit this error. As a test I tried the following from the forumhome_start hook, and it was successful:

But it just wont work from global_complete...

I am running vB 3.8.2. Have you come across anything like this? Thanks

Worked for me as well.

Thanks
Kamal

This quick fix resolved the issue related to the error around first login for the user.

The odd thing is that I am using this on a 3.8.2 without this alteration and it appears to be working properly. Odd...

As for the errors not working, I've not experienced that either. Due to a fault in the AD replica I rely on a number of users password didn't get updated last time they changed them (It's still got their previous password), so they get login errors if they forget and use their current password.

I think the best (though not necessarily the easiest) solution is to persuade Jellsoft to add a hook in the login process, as IMHO that would solve almost all the problems being reported here.

I'll ask them and see what they say.

H.

One odd behaviour I've seen with this plugin is that the Option Receive Email from Other Users under the user profile is off when the user logs in with their LDAP credentials for the first time.

As we are using LDAP, new registration is turned Off under User Registration Options but Display Email is checked under Default Registration Options.
Is there some other option that I need to turn on for Receive Email from Other Users to be ON for all users by default.

Thanks

Do you deal with password changes at all? If a user who logged in via LDAP changes their password via vBulletin what happens?

The next time they log in (Not by cookies but actually enter a username and password) their password is changed back.

Unless you permit VB users (i.e. Don't turn on disable vb only users). If you allow vb only users then an LDAP user might be allowed to log in with the vb password rather than the LDAP password (if they are different). To be honest, I've never tried becuase I either use LDAP or I use vb (Without LDAP) never both.

H.

using Anthonym16's advice here I was able to get the plugin functioning to register new users. In 3.8.2, returning users couldn't get in, so I changed the lines,

and removed the mysql_real_escape_string() function call. It works!

Removing that is not a good idea. I discovered how important it was the first time someone with a single quote (Apostrophe) in their surname registered... i.e. fred.o'flintstone@somewhere.org will never be able to log in.

I very much doubt that is stopping people logging in... Certainly I've seen it working under 3.8.2 with that code in place.

H.